And if you open those files you can verify that the filename is not some weird fluke, and matches the other data within the email.
And that the viewed time matches the modification time. (You'll need to be able to decipher Unix timestamp integers for the Apple metadata about last viewed and received - there's probably an online calculator for that).
And that these files were viewed months before they existed.
So yeah, that's pretty weird.
There may be some valid sequence of events that would do what I'm seeing but I'm having a hard time coming up with one.
If you power off a laptop for months it might boot with the wrong time. But it should quickly acquire the correct time if it's on a network. So that shouldn't happen twice, months apart, with the same modification timestamp down to the same minute.
Tagging some peeps
@emptywheel @scottmstedman
@Pwnallthethings
@thomasafine I wonder if this was true of the drive when @malwarejake and @matthew_d_green reviewed it? @scottmstedman @Pwnallthethings
@emptywheel @thomasafine @malwarejake @scottmstedman @Pwnallthethings Would be a Jake question. I didn’t review file time stamps, just DKIM on some email.
@Pwnallthethings @emptywheel @matthew_d_green @thomasafine @malwarejake @scottmstedman
And the original metadata is all gone.